New TCP/IP exploit - affecting Linux kernel


New TCP/IP exploit - affecting Linux kernel

Post by Lucap »

http://www.theregister.co.uk/2016/08/10 ... nications/
The TCP/IP networking blunder, present in the open-source kernel since version 3.6, can be exploited by miscreants to confirm whether any two systems are talking to each other over a network. Furthermore, it can be abused to break their connections or insert malicious code and data into their communications if the exchange is not properly encrypted. In other words, you can hijack HTTP with this.
Doesn't sound good.
Last edited by Lucap on Fri Aug 12, 2016 1:33 am, edited 2 times in total.

Re: Linux security backfires: Flaw lets hackers inject malware into downloads

Post by Pjotr »

It looks like it's being tackled: https://people.canonical.com/~ubuntu-se ... -5696.html

Don't worry too much. Security vulnerabilities are a common occurrence, on every operating system. That's OK, as long as they're being fixed quickly. That's why we sometimes get security updates on a daily basis... :wink:
Tip: 10 things to do after installing Linux Mint 20 Ulyana
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Re: New TCP/IP exploit

Post by Lucap »

Any idea what DNE & ignored is all about?

Re: New TCP/IP exploit

Post by Pjotr »

Lucap wrote: Any idea what DNE & ignored is all about?
"ignored" is apparently a label that they've put on kernel packages that have reached end-of-life anyway, or aren't relevant, or have been abandoned. So those won't be fixed.

DNE: I don't know... Maybe an abbreviation of "Doesn't need (it)" or something?

There's an update in the "Notes" section of that Canonical page, by the way:
sbeattie> fix is going to land in Ubuntu kernels in this SRU cycle,
with a likely release date of Aug 27. Earlier access to the kernels
with the fix will be available from the -proposed pocket, though they
come with the risk of being less tested.

Re: New TCP/IP exploit

Post by MajorMuff »

Issue was already fixed in the 4.7 kernel.
If it screams it isn't food yet.

Latest Kernel cover this security flaw?

Post by felemur »

http://www.theregister.co.uk/2016/08/10 ... nications/

But the update manager does not have a 4.7 option... So does Kernel update 4.4.0-34 cover this?
Last edited by karlchen on Fri Aug 12, 2016 7:56 am, edited 1 time in total.
Reason: moved to existing thread about the recently discovered tcp/ip flaw in recent Linux kernels

Re: Latest Kernel cover this security flaw?

Post by Pjotr »

felemur wrote: does Kernel update 4.4.0-34 cover this?
No, the update for the 4.4 series should arrive for Ubuntu on August 27 (according to the notes on the Canonical page). It'll probably be available for Mint shortly after that.

Don't be overly worried; it's not that there's suddenly a huge *practical* risk for desktop users, in real life... :mrgreen:
Re: New TCP/IP exploit - affecting Linux kernel

Post by chrisuk »

If you've any concerns, just follow the advice in the link in the OP:
As a workaround while patches to fix the problem are prepared and distributed, you can raise the rate limit on your Linux machine or gadget so that it cannot be reached, by appending the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

And then use sysctl -p to activate the new rule. You need to be root to do this.
You can just delete the line from sysctl.conf when a fix is released
Chris

Manjaro MATE - MX Linux - LMDE MATE
Re: New TCP/IP exploit - affecting Linux kernel

Post by Fred Barclay »

The "good" news (relatively) is that it appears that https connections aren't as vulnerable... they can be "broken" but not unencrypted.
Or so they say...
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Kernel vulnerability

Post by Mintster »

There is a kernel vulnerability related to TCP right now. I am using kernel 3.19.0-32-generic and have 17.3 Cinnamon installed. I have no proprietary drivers in use. This is the only setup I have found where my computer runs perfectly. If I upgrade the kernel to 4.4 my screen tears and I have to use proprietary drivers and then my system starts freezing up periodically. I tried Ubuntu Mate 16.04 and Linux Mint 18 with the computer constantly freezing. So this setup works perfectly but I don't know if my kernel is patched and safe. I have the Intel 6700K cpu. Graphics card is "Intel Corporation Sky lake Integrated Graphics." How do I avoid upgrading the kernel or find out if my kernel is safe? thanx

Re: Kernel vulnerability

Post by deepakdeshp »

Hello,
This is the database for vulnerabilities:

https://www.cvedetails.com/vulnerabilit ... ernel.html
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help, and keeps the forum clean.
Regards,
Deepak

I am using Mint 20 Cinnamon 64 bit with AMD A8/7410 processor . Memory 8GB

Re: Kernel vulnerability

Post by Mintster »

https://blogs.akamai.com/2016/08/vulner ... ation.html


Vulnerability in the Linux kernel's tcp stack implementation
By Akamai InfoSec August 10, 2016 6:50 PM

Akamai is aware of a vulnerability, announced at the USENIX Security conference on Aug 10, 2016, which describes a vulnerability in the Linux kernel's tcp stack implementation (kernel versions 3.6 to 4.6). At a high-level, a patient adversary can leverage rate-limited challenge ACK's on a non-secure tcp connection to conduct a hijacking attack.

The Issue

The 3.6 Linux kernel introduced a global challenge ACK counter limit in order to improve tcp's robustness to blind in-window attacks as specified in RFC 5961. However, an attacker can use this global challenge ACK counter to infer the sequence and ack number of an off-path tcp connection. In a typical client/server tcp connection, an attacker can establish connections with the server. Thus, the attacker can establish a number of connections with the server, and send sufficient out-of-window traffic, in order to use up the entire global challenge ack limit. In this case, the attacker can expect to receive the number of challenge acks that is equal to the challenge ACK counter limit in response. The attacker can then infer information about the sequence number and ack number of the connection by realizing if it has received fewer challenge ACKs in response than the global challenge ACK counter limit.

Re: Kernel vulnerability

Post by jimallyn »

I read the other day that Red Hat has a patch for this. I suspect all the other distros will have it shortly.

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

Linux vulnerability leaves top sites wide open to attackers

Post by Destry »

RT | Aug 11, 2016
http://on.rt.com/7mcm

[snip]

A flaw in the Linux operating system lets hackers inject malware into downloads and expose the identities of people using anonymizing software such as Tor – even for those who aren’t using Linux directly.

In a Wednesday presentation at the USENIX Security Symposium in Austin, Texas, researchers with the University of California, Riverside showed that the flaw lies in the Transmission Control Protocol (TCP) used by Linux since late 2012.

The networking blunder is present in the Linux kernel, the core of its operating system, and can be exploited by malicious actors to determine whether two systems are communicating with each other, and even inject malicious data into or break their connection.

At the symposium, the researchers demonstrated the exploit by injecting code into a live USA Today page that asks visitors to enter their emails and passwords, which was possible because pages on USA Today aren’t encrypted.

Perhaps most importantly, the intercepting of data doesn’t require a man-in-the-middle attack, where a connection will covertly intercept, collect and pass forward information between two parties. Instead, attackers can just send packets of data to the two targets with spoofed credentials.

Pure Off-path TCP attack demo by using a side channel in Recent Linux Kernel
Sec UCR
Aug 5, 2016
https://www.youtube.com/watch?v=S4Ns5wla9DY

Full Report: http://on.rt.com/7mcm
Distro: Linux Mint 19.1
8 core 16 thread Intel Core i9-9900K (-MT-MCP-) arch: Skylake rev.12 cache: 16384 KB 5ghz
32 gig ram 2080Ti Nvidia Zotac Amp Extreme Gaming 11gb

Re: Kernel vulnerability

Post by rpark107 »

...Read a post on The Register site for the work around below:

As a workaround while patches to fix the problem are prepared and distributed, you can raise the rate limit on your Linux machine or gadget so that it cannot be reached, by appending the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

And then use sysctl -p to activate the new rule. You need to be root to do this.
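
The workaround quoted in this post and in chrisuk's post above can be audited with a script like the following. It is an added example, not part of the thread or of The Register's article; the function names, the sample file, and the use of 999999999 as the threshold are assumptions. The 3.6 to 4.6 range is the upstream range from the Akamai text quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: audit the tcp_challenge_ack_limit workaround quoted above.
# Function names and the sample file are hypothetical, not from the thread.

WORKAROUND=999999999   # value quoted in the posts; used here as the threshold

# True if the upstream version (major.minor) is within 3.6 to 4.6, the range
# given in the quoted Akamai text. Distro kernels backport fixes, so a match
# is only a first indication.
in_affected_range() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}
    case "$major" in
        3) [ "$minor" -ge 6 ] ;;
        4) [ "$minor" -le 6 ] ;;
        *) return 1 ;;
    esac
}

# Print the last value a sysctl.conf-style file assigns to the key (later
# lines win); commented-out lines are skipped. Prints nothing if unset.
configured_limit() {
    sed -n -E 's/^[[:space:]]*net[./]ipv4[./]tcp_challenge_ack_limit[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Value the running kernel is using now; empty if the entry does not exist.
runtime_limit() {
    cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null || true
}

# Classify a kernel release string plus a config file.
assess() {
    in_affected_range "$1" || { echo outside-range; return 0; }
    limit=$(configured_limit "$2")
    if [ -n "$limit" ] && [ "$limit" -ge "$WORKAROUND" ]; then
        echo workaround-set
    else
        echo workaround-missing
    fi
}

# Constructed sample config: an older low setting followed by the quoted line.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'net.ipv4.tcp_challenge_ack_limit = 100' \
    'net.ipv4.tcp_challenge_ack_limit = 999999999' > "$sample"
echo "4.4.0-34-generic: $(assess 4.4.0-34-generic "$sample")"
echo "3.19.0-32-generic, no config: $(assess 3.19.0-32-generic /dev/null)"
echo "running $(uname -r): runtime limit '$(runtime_limit)'"
```

On a live system, pass `"$(uname -r)"` and `/etc/sysctl.conf` to `assess` and compare the result with `runtime_limit`, since a line in the file has no effect until `sysctl -p` has been run.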

Re: Linux vulnerability leaves top sites wide open to attackers

Post by all41 »

Light travels faster than sound.
That's why some people appear smart until you hear what they are saying.

Re: New TCP/IP exploit - affecting Linux kernel

Post by uberdorf »

It looks like the vulnerability got fixed in the kernel update 4.4.0-34.53 for Ubuntu 16.04/LM 18 as of 10 Aug.
http://news.softpedia.com/news/canonica ... 7184.shtml
http://www.ubuntu.com/usn/usn-3055-1/

If so, we should all do the kernel update ASAP.

Re: New TCP/IP exploit - affecting Linux kernel

Post by ostracized »

uberdorf wrote: It looks like the vulnerability got fixed in the kernel update 4.4.0-34.53 for Ubuntu 16.04/LM 18 as of 10 Aug.
No. What you're looking for is CVE-2016-5696 which has been patched but has yet to be released in a kernel update from Canonical. Mods, can you please merge this thread with viewtopic.php?f=58&t=226928 to keep the discussion in 1 place?

To make related matters worse, 1.4 billion Android users are also at risk connecting to unencrypted sites. And you also have the additional problem of OEMs who can't be bothered to update an Android phone that's ~2 years old, so you end up having a lot of devices that are vulnerable to multiple pathways of attack. Kinda makes users of "dumb" phones appear to be the "smart" ones.

Re: New TCP/IP exploit - affecting Linux kernel

Post by Lucap »

ostracized wrote: Mods, can you please merge this thread with viewtopic.php?f=58&t=226928 to keep the discussion in 1 place?
Unless there is some confusion amongst the news sites reporting, the other thread is about a webpage script exploit against both Windows and Linux users.

This thread is about a similar TCP exploit but specifically against the Linux kernel???

Re: New TCP/IP exploit - affecting Linux kernel

Post by ostracized »

This CVE was (very briefly) mentioned in the latest Ubuntu podcast @29:05 as well yesterday. No further discussion than what we already know, other than "I'd expect this patch to go out in a couple weeks."